Hey David, pf is run twice on packets going through a box, once before the network stack and again as it leaves it. This means you have to allow a packet in one side as well as when it goes out the other.
dlg

On 17/05/2011, at 10:16 PM, David Schulz wrote:

> Hi all,
>
> I have a LAN within a LAN and the setup is as follows:
>
> 192.168.1.0/24 <-- OpenBSD 4.9 Router with 2 NICS --> 10.1.0.0/21
>
> My goal is to get both Sides talking to each other (let's start with making
> them be able to ping each other). I got it working by using the following
> pf.conf, however I thought I should not need to have those match out
> statements, because OpenBSD routes packets between interfaces by default as
> long as sysctl net.inet.ip.forwarding=1 is set.
>
> From inside my OpenBSD Box I can ping Devices on either Side just fine. From a
> machine sitting on either Side, I can ping the OpenBSD Box just fine. But I
> simply cannot get Side A Machines to talk to Side B Machines unless I
> uncomment the two below match out statements inside my pf.conf.
>
> If someone could share some insight, I'd be most thankful.
>
> regards,
> D
>
> Here is my simplified pf.conf which again does not work unless I uncomment the
> two match out Rules:
>
> ++++++++ pf.conf
> int_if="sis0"
> ext_if="sis1"
>
> icmp_types = "{ echoreq, unreach }"
>
> set require-order yes
> set block-policy return
> set optimization normal
> set loginterface $ext_if
>
> match in all scrub (no-df)
>
> set skip on lo
>
> #match out on $int_if from 192.168.1.0/24 to any nat-to ($int_if)
> #match out on $ext_if from 10.1.0.0/21 to any nat-to ($ext_if)
>
> block log all
>
> #Simplified for 'making it work purposes'
> pass out quick
> pass in quick
>
> antispoof quick for { lo0 $int_if $ext_if } inet
>
> # allow ICMP
> pass in quick on { $int_if $ext_if } inet proto icmp all icmp-type $icmp_types keep state
> ++++++++
>
> ++++++++ route -n
> cndlne001'root(~)> route -n show | grep default
> default            10.1.3.1           UGS        0    23106     -     8 sis0
>
> cndlne001'root(~)> route -n show | grep 192.168.1
> 192.168.1/24       link#2             UC         2        0     -     4 sis1
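A ruleset written the way the reply describes, with an explicit pass for each forwarded flow on the interface it enters and on the interface it leaves, and no nat-to rules. This is an added example, not from the thread; the interface-to-subnet mapping is read from the route output above (sis0 faces 10.1.0.0/21, sis1 faces 192.168.1.0/24), and the macro names are this example's own choice.

```pf
# Interface roles as the route output suggests: the default route goes
# via 10.1.3.1 on sis0, and 192.168.1/24 is directly attached on sis1.
# Macro names below are an assumption, not the original poster's.
if_a  = "sis1"
if_b  = "sis0"
lan_a = "192.168.1.0/24"
lan_b = "10.1.0.0/21"
icmp_types = "{ echoreq, unreach }"

set block-policy return
set skip on lo

match in all scrub (no-df)

# Default deny; everything that follows is an explicit exception.
block log all

antispoof quick for { lo0 $if_a $if_b } inet

# lan_a -> lan_b: the packet is filtered once on entry (if_a) and once
# more on exit (if_b), so each side of the forwarding path gets a rule.
pass in  on $if_a inet from $lan_a to $lan_b keep state
pass out on $if_b inet from $lan_a to $lan_b keep state

# lan_b -> lan_a: the mirror image of the rules above.
pass in  on $if_b inet from $lan_b to $lan_a keep state
pass out on $if_a inet from $lan_b to $lan_a keep state

# ICMP to and from the router itself, as in the original ruleset.
pass in  on { $if_a $if_b } inet proto icmp all icmp-type $icmp_types keep state
pass out on { $if_a $if_b } inet proto icmp all icmp-type $icmp_types keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows the state entries created by the pass rules for each forwarded ping.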